Prebuilt rules
Elastic maintains a library of prebuilt detection rules mapped to the MITRE ATT&CK framework. Enabling prebuilt rules is the fastest path to detection coverage and the recommended starting point before building custom rules. A prebuilt rule only produces alerts when the data source it expects is actually being ingested, so check each rule's required data sources before counting it as coverage. You can browse the full prebuilt rule catalog to see what's available.
- Prebuilt rule components: Learn how prebuilt rules are organized with tags, what data sources they need, and how to use their investigation guides.
- Install prebuilt rules: Start here to install and enable prebuilt rules. Includes a subscription capability matrix showing which features are available at each tier.
- Update prebuilt rules: Apply Elastic's rule updates to keep your detection coverage current. Explains how to review updates, handle modified rules, and resolve conflicts (Enterprise only).
- Prebuilt rules in air-gapped environments: Install and update prebuilt rules in air-gapped environments without internet access.
- Customize prebuilt rules: Adapt prebuilt rules to your environment. Edit rules directly or revert to the original Elastic version (Enterprise on Elastic Stack 9.1+, or Security Analytics Complete on Serverless), duplicate and modify copies, add exceptions, or configure actions.